
Dridex Learns New Trick: P2P over HTTP

After several months we finally have an answer to the question asked by our friend Roman on this post regarding the infamous Cridex/Feodo/Geodo/Dridex saga. Back then we witnessed the birth of a new Feodo variant baptized as Dridex, and just a few days ago S21sec's Ecrime department detected a new Dridex variant which incorporates noticeable changes.

The sample was detected by our Dridex botnet tracking system when it failed to automatically analyze the last binary update pushed by the C&C. We were surprised to find out that its version number was 2.0.17 (131089), a big leap forward compared with previous samples, which we had seen growing steadily from 1.0.135 (65671) to 1.0.158 (65694).

Besides the encryption of the config (which previously had always been in plain text), the change that immediately caught our attention was the presence of a new tag within the XML exchanged during the trojan's communication with the C&C.

In the following picture we can see the reference to the new tag within the sample's code:

Another important and noticeable change is that this new variant runs a built-in HTTP server which listens on port 80.

As you can see in the following Wireshark screenshot, peers use basic auth to connect with each other:

The bot notifies other peers of its existence by sending the following message:

Over the last three days, all the requests issued to this botnet's C&C resulted in an empty response, so we presume that since then it relies fully on P2P for botnet management and updates.

We would like to point out that the P2P traffic is carried over HTTP. We can only guess why the trojan developers decided to do so, but since it is certainly neither for performance nor for efficiency, we presume that the goal is to make the traffic as stealthy as possible and at the same time to raise the probability of peers being able to reach each other by using the default HTTP port.
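From the defender's side, the behaviour described above (a workstation accepting inbound HTTP on port 80 from other workstations, with Basic auth between peers) is something proxy or flow logs can surface. The following is an added example, not S21sec's tooling; the subnet, the inventory of legitimate web servers and the records are all constructed for illustration.

```python
import base64
import ipaddress
from collections import defaultdict

# Assumed network inventory (not from the post): the subnet that should hold only
# client workstations, and internal hosts that legitimately serve HTTP on port 80.
WORKSTATION_NET = ipaddress.ip_network("10.0.1.0/24")
KNOWN_WEB_SERVERS = {"10.0.1.5"}

# Constructed proxy/flow records, not captured traffic:
# (src_ip, dst_ip, dst_port, request header lines).
BASIC = "Authorization: Basic " + base64.b64encode(b"peer:secret").decode()
SAMPLE_RECORDS = [
    ("10.0.1.11", "10.0.1.5", 80, ["GET /intranet/ HTTP/1.1", "Host: intranet"]),
    ("10.0.1.11", "10.0.1.23", 80, ["POST / HTTP/1.1", BASIC]),
    ("10.0.1.40", "10.0.1.23", 80, ["POST / HTTP/1.1", BASIC]),
    ("10.0.1.40", "93.184.216.34", 80, ["GET / HTTP/1.1", "Host: example.com"]),
    ("10.0.1.12", "10.0.1.31", 80, ["GET /index.html HTTP/1.1", "Host: 10.0.1.31"]),
    ("10.0.1.12", "10.0.1.31", 443, ["CONNECT 10.0.1.31:443 HTTP/1.1"]),
]


def has_basic_auth(headers):
    """True if any header line carries HTTP Basic credentials."""
    return any(h.lower().startswith("authorization: basic ") for h in headers)


def find_peer_http_servers(records, workstation_net=WORKSTATION_NET,
                           known_servers=KNOWN_WEB_SERVERS):
    """Return {dst_ip: {"peers": [...], "basic_auth": bool}} for workstations that
    accept inbound port-80 HTTP from other workstations.  Port 80 alone is weak
    evidence; Basic auth between two workstations matches the Dridex 2.x pattern."""
    findings = defaultdict(lambda: {"peers": set(), "basic_auth": False})
    for src, dst, port, headers in records:
        if port != 80 or dst in known_servers:
            continue
        if (ipaddress.ip_address(src) not in workstation_net
                or ipaddress.ip_address(dst) not in workstation_net):
            continue
        findings[dst]["peers"].add(src)
        findings[dst]["basic_auth"] |= has_basic_auth(headers)
    return {dst: {"peers": sorted(v["peers"]), "basic_auth": v["basic_auth"]}
            for dst, v in findings.items()}


def triage(findings):
    """Order destinations for review: Basic auth from several peers ranks first."""
    def score(item):
        _dst, f = item
        return (f["basic_auth"], len(f["peers"]))
    return [dst for dst, _ in sorted(findings.items(), key=score, reverse=True)]


if __name__ == "__main__":
    result = find_peer_http_servers(SAMPLE_RECORDS)
    for dst in triage(result):
        f = result[dst]
        print(f"{dst}: {len(f['peers'])} workstation peer(s), basic_auth={f['basic_auth']}")
```

A single workstation serving plain HTTP to one neighbour may be a developer box; the Basic-auth flag is what separates that from the pattern the post describes.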

As far as we can see, updated configuration files target more than 120 entities from more than 20 countries, including many from Southeast Asia, and cover several sectors besides banking, such as online digital media, online hosting and online advertising.

As you can see, trojan developers keep improving their code and adding new features to hinder botnet tracking and shutdown. This time it has been Dridex, although we are noticing changes in other malware families which we hope to disclose in future posts.

S21sec Ecrime

The real danger of BadUSB

The last BlackHat USA conference presented a hacking technique, BadUSB, that has recently gained much attention. Although not completely new, it does pose a serious security risk for USB devices.

A BadUSB attack basically involves reprogramming a normal USB device (usually a pen drive based on a reprogrammable microcontroller with a well-known architecture) to act maliciously.

As pointed out in the BlackHat talk, using USB devices for malicious activities was already a widely-known technique. Examples include:
  1. Virtual CD-ROM Attacks through AutoRun using a U3 USB flash drive.
  2. Malicious keyboard attacks using Rubber Ducky or Teensy.

The creators of BadUSB also propose other interesting tactics. For instance, configuring a USB device to spoof an Ethernet network card and through the DHCP assign a new gateway or a new DNS server that can then intercept traffic.

All of these attacks pose a risk to your computer. But there are a number of security measures to prevent these threats.

The act of reprogramming a USB device to behave maliciously isn't new either. In 2013 a technique was presented for reprogramming webcam firmware to disable the LED that shows that the camera is capturing pictures. The same paper mentions the possibility of using this firmware update to perform other malicious tasks.

But extending this technique to any USB device with updatable firmware is what makes this idea dangerous.

And what makes a BadUSB attack truly frightening is the possibility of combining these techniques and reprogramming several legitimate and apparently innocuous USB devices to create a combined attack.

These attacks also carry a series of difficulties when it comes to detection:
  1. Infection is more difficult to detect since the modified device is external to the main system.
  2. Some USB devices are portable and can therefore easily be used to spread infection.
  3. The infection remains even if the hard drive is formatted or the CPU is changed.
  4. Some USB devices are internal (for example, the majority of webcams, SD card readers, smartcard readers, biometrics in new laptops), which makes it easier for attackers to maintain the infection.

By combining this technique with other types of devices we can imagine serious cyber-attack scenarios. An example is using a USB stick as the initial attack vector and a device that is permanently connected to the computer (such as a webcam or printer) as a persistent infection vector. For example: making the device detect when the computer is booting and present itself as a bootable pen drive that loads a modified version of the operating system.

They could even be made to work in anti-forensic mode. The microcontroller can allow the device to function in its original state or erase itself after infecting the system.

It is likely that we'll shortly see real cases of the combined use of several infected devices of this type functioning as implanted devices like the ones listed in the NSA's ANT catalog.

Ramón Pinuaga
S21sec assessment

Train yourself as a professional in the field of industrial security

The European Agency for Network and Information Security (ENISA), in its 2011 report "Protecting Industrial Control Systems. Recommendations for Europe and Member States", stated in its recommendation No. 4 the need to foster training and awareness on cyber security in industrial automation and control systems. In particular, this recommendation highlights the need for ongoing initiatives to be focused on standards and security best practices and to address, among others, crosscutting topics such as technology, security solutions, etc. It also recommends that the guiding principles should be: i) to highlight particular aspects of different sectors; ii) to avoid duplication with other similar initiatives; iii) to ensure the quality of the parties involved. Moreover, this recommendation identifies public agencies as potential leaders in this field.

In response to the needs identified by ENISA, INTECO has developed a MOOC course on cyber security in industrial automation and control systems. This initiative is one of the results of the measures identified in the Spanish Digital Trust Plan, which aims at building an ecosystem for attracting and generating talent around INTECO, in collaboration with universities and the private sector, and always seeking complementarity with other initiatives and agents that train professionals.

Miguel Rego, INTECO's CEO

The course is primarily aimed at Information Technology (IT) professionals with knowledge of IT security management, vulnerability analysis and security solutions (surely, if you're reading this publication, you recognise yourself in that description). Throughout the seven teaching units you will learn the fundamental concepts of industrial automation and control systems and infrastructures, and particularly the smart grid, including PLCs, RTUs, SCADA, MES and BATCH systems among others, as well as the fundamentals of the cyber security issues that affect them. Aspects such as vulnerabilities, threats, risks, attack techniques, the main good practices, principles of defense and the security initiatives currently under way will be covered.

If you are already interested, here you can find the list of modules.


The course has been developed in collaboration with S21sec, Logitek and Tecnalia, companies of international reference in the security of automation and control systems, in automation and control systems themselves, in smart grids, and in existing security solutions. Moreover, thanks to the contribution of the Centre for Industrial Cybersecurity, the course features the collaboration of professionals such as Ayman Al-Issa, Patrick Miller and Ruben Santamarta.

The course, free of charge, is rich in content and unique in Spain, and is offered following the MOOC (Massive Open Online Course) philosophy, that is, online, massive, and open to everyone. Under this paradigm, information sharing among the community of students and collaboration between them is key to completing the course.

The course is available on the new training platform of INTECO, which is based on this new training paradigm. The advanced course in industrial cyber security will be the first of many topics for which courses will be offered. If you decide to register, you should know that this platform provides you with educational resources such as presentations, video tutorials, downloadable documentation, self-assessment exercises, forums where you can raise questions and learn with your future colleagues, spaces where you can create collaborative notes (wikis), and tools for peer (P2P) correction of evaluation exercises. Additionally, you will earn reputation levels (karma) in the community based on your participation in the spaces for interaction among students (i.e. forum and wiki). Moreover, once you have passed the mandatory activities of the course, you will receive a diploma certifying that you have completed it.

We believe this is a unique opportunity for you, so we encourage you to register on the platform and enroll in the course (on October 27 the contents will already be available, and the registration deadline is November 3). Note also that this course is available in both Spanish and English, thus strengthening the international vocation of INTECO's training initiatives. We hope it is to your liking and that you enjoy it as much as we enjoyed preparing it.

New malware targeted attacks on ATMs hit the banking industry

Recent events are unveiling a growing trend for targeted attacks aimed at ATMs or Kiosks that are severely impacting the banking industry.

While traditional ATM skimming attacks are spreading across a wide variety of devices, from train ticket kiosks to parking meters and other unattended payment terminals, using malware to "cash out" ATMs appears to be the trendiest cybercrime tactic.

A recent investigation from the international police organization Interpol has detected a new type of malware which allows the criminals to gain full control of the ATM allowing them to steal huge amounts of money in cash without having to use a credit or debit card.

The new generation malware, named Tyupkin, is said to have infected ATMs in Europe, Latin America and Asia, stealing millions of dollars in cash.

Tyupkin’s modus operandi differs from traditional ATM malware in that its intention is not to capture card and PIN information from customers, but rather to hit the bank in the face by draining cash directly from the ATMs without the need for customer data.

ATM Malware Waits for Instructions

The Tyupkin malware literally allows an attacker to tell an ATM to dispense money. It enables an attacker to use the ATM PIN pad to submit commands to the Trojan, without the need for a credit or debit card.

Here's how the Tyupkin attack works:
  • Criminals need to gain physical access to the ATMs to insert a bootable CD which installs the malware. After a system reboot, the ATM is under their control.
  • The malware runs in the background awaiting a command that is only accepted at specific times, making it harder to detect.
  • A unique random combination key is generated to activate the malware. The criminal enters the key on the PIN pad, and then receives a phone call from another member of the gang with a session key based on the number shown on the ATM's screen.
  • When this session key is entered correctly, the ATM displays details of how much money is available in each cash cassette. After choosing a cassette to steal from, the ATM dispenses 40 banknotes at a time.

From HeartBleed to ShellShock

#celebgate, or what 4chan has jokingly labelled “The Fappening”, is the second most commented event of the month after ShellShock, essentially because the target is a long list of high-profile celebrities and because, considering the circumstances, the hacking offence may very well go unpunished.

In mid-August, the first wave of private photos depicting famous actresses was posted on 4chan, seemingly hacked from their iCloud accounts. At the time Apple identified a vulnerability that had allowed brute force attacks on accounts. But that didn't stop a new batch of private photos and videos of female celebrities from being released in mid-September.

Despite all of the investigations and complaints, and even though 4chan, known for its "anonymous" actions, may be behind the attack, it doesn't look like the hackers responsible for the photos of Scarlett Johansson and other celebrities will be caught any time soon.

The fact is that to a certain extent we're no longer surprised by cases of stolen credentials. We know that at any time our passwords can be compromised many different ways:
  1. Stolen data from service websites: the hacked Sega Pass system in 2011 is just one example, and the bar is raised every day with incidents such as the one at Tripadvisor's partner Viator.
  2. Specific malware installed to steal email account credentials. This is how, for example, Russian hackers gained access to millions of Gmail accounts and accounts at Russian email providers.
  3. Phishing scams that ask you to provide personal information in the name of apparently legitimate organizations, or which offer lucrative business schemes, are sent indiscriminately to your inbox or are hidden in adware.
  4. etc.
The thing is that today our digital identity is spread across a number of online services (Google, Facebook, LinkedIn, Twitter, iCloud, Drive, Outlook, etc.) where, in most cases, the only security measure is a password, and in most cases we use the same password for several of these services, not to mention our user accounts for online shopping, forums, etc. Oh, and let's not forget our financial services and the services provided by the companies we work for.

We are what we are on the Internet. In the worst case scenario, our entire reputation hangs on a password: if someone manages to retrieve the password for one of your main accounts, he pretty much has control over the rest.

Security depends on second-factor authentication, the much-used trusted third party authorization, the model exploited in the now historic PKIs (now back in fashion; you know what they say: "If you wait long enough, it will come back in style"). So, mechanisms to secure this key part of our digital lives exist even though they're not implemented.

And like all maladies, prevention is better than studying the symptoms, so what's keeping us from applying second-factor authentication to our main accounts? Basically, the lack of awareness surrounding security, especially in critical environments. No, Hollywood starlets and their tawdry photos do not constitute critical environments.

The information handled by CEOs, CIOs, CTOs, CISOs and other senior executives does. Not to mention presidents and members of corporate boards of directors, the latter of whom often run the greatest risk in their day-to-day online transactions. Whenever we talk about cybersecurity, it is important to understand that awareness must permeate the organization from the top down, with the top creating and setting the example.


Kronos is here...

Early in July, news regarding an alleged new banking Trojan called Kronos showed up in underground forums. Unfortunately there was no real evidence to confirm the existence of this threat, except for the selling ads highlighting its main features, which were:
  • Credential stealing and form grabbing that supports Internet Explorer, Firefox and Chrome
  • HTML web injection (technique used to perform Man in the Browser attacks)
  • Rootkit that works on 32/64 bit operating systems
  • Antivirus evasion
  • Sandbox evasion
  • Encrypted communication channel with the C&C

Well, it certainly did not take too long for it to appear in the wild...

Last week our Automatic Malware Analysis Platform detected a suspicious binary that grabbed our attention. Taking a closer look at it, we found a string that caught our eye:

Once we got "hands on" with the reversing we found evidence which confirmed that, indeed, its features matched those attributed to Kronos.

As a curiosity, we noticed some sort of hidden message which may have been left there for us, with analysts in mind, saying "keep digging", due, we guess, to the sample's heavy protection and anti-reverse-engineering tricks:

We can see that message above, among other decoded strings such as the User Agent strings it uses and a list of common debugging tools and virtualization software process names.

Once we managed to fool the Trojan that it was not running under a controlled environment, we were able to see the malware in action as it connected to the C&C and downloaded its configuration file which, as usual, is encrypted...

... we were able to decode it, and unsurprisingly it contained Zeus-style "web injects" (a mix of HTML and JavaScript code used to trick the user).

Below is a snippet from the decoded configuration file showing JavaScript code that, once injected into the victim's browser session, is able to drive the user through the various steps needed to complete a fraudulent transaction without the user's awareness:

This particular sample config file targeted only French financial institutions, but there may be other samples in the wild using different settings against different banking systems.

Finally, this is how the admin login page looks for the webinjects and also for the main control panel:

Thanks for reading, and please come back for further information we hope to publish soon.

Jozsef Gegeny
S21sec Ecrime
The MD5 signature of the file analyzed by S21sec was: f085395253a40ce8ca077228c2322010

New Feodo variant follows Geodo steps

Cridex (aka Feodo/Bugat) activity reached its zenith towards the end of 2013 and early 2014, after which it almost disappeared until it returned in June reincarnated as what the guys at baptized as Geodo.

Earlier this week, S21sec's Ecrime team detected what seems to be an evolution of one of the old variants (unrelated to Geodo) which has new and noteworthy features.

First of all, it uses a loader with limited functionality as the first infection step, used to download the main trojan module in the form of a DLL using the following paths and injecting itself into explorer.exe as in earlier versions:

Trojan network communication is done through the typical port 8080, although the path is a bit different from what we are used to:

Once the installation step is completed, the trojan downloads the configuration file which is just a gzip file with a fake header:

The config file uses the XML-like format seen on previous versions, which has the following structure:
  • modules: Embedded new modules encoded in Base64:
    • vnc_x32
    • vnc_x64
    • socks_x32
    • socks_x64
    • bot_x32
    • bot_x64
  • httpshots and clickshots: URL patterns for which the trojan must take screenshots
  • formgrabber: URL patterns used for form grabbing
  • bconnect: Back Connect Server
  • vncconnect: VNC Server
  • redirects: External resources references used on injections
  • httpinjects: Entity URL patterns with their corresponding injections
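As an added example (not S21sec's tooling), the following parser performs the analyst-side steps implied above: skip the fake header, gunzip, walk the XML-like structure, hash the Base64 modules and check them against the hashes the post publishes. It assumes the fake header simply precedes the gzip magic and that the XML uses the tag names above; the header bytes, attribute names and module contents are constructed here.

```python
import base64
import gzip
import hashlib
import xml.etree.ElementTree as ET

GZIP_MAGIC = b"\x1f\x8b"

# Module hashes published in the post, used to label recognised modules.
KNOWN_MODULE_MD5 = {
    "04b55edf43a006f9c531287161fa2fa8": "bot_x32",
    "c73c3c18b74c67e88d5b3f4658016dcd": "vnc_x32",
    "5ecfc1d3274845bf5ff3f66ca255945e": "vnc_x64",
    "53eb0e59b5bb574df5755527dc3d4f47": "socks_x32",
    "0dfc66eadbd9e88b2262ac848eadee8f": "socks_x64",
    "4df1cef98bbc174ba02f17d2ca6c0a58": "bot_x64",
}


def build_sample_config():
    """Construct a config blob in the shape the post describes.  Tag names follow
    the post; the fake header bytes, attribute names and module contents are
    invented here, so a real sample will need adjusting."""
    modules = {"bot_x32": b"MZ-constructed-bot", "vnc_x32": b"MZ-constructed-vnc"}
    mods = "".join('<module name="%s">%s</module>' % (n, base64.b64encode(d).decode())
                   for n, d in modules.items())
    xml = ("<config><modules>%s</modules>"
           "<httpshots><url>*bank.example/*</url></httpshots>"
           "<formgrabber><url>*login*</url></formgrabber>"
           "<bconnect>198.51.100.7:443</bconnect>"
           '<httpinjects><inject url="https://bank.example/login*">'
           "&lt;div&gt;...&lt;/div&gt;</inject></httpinjects></config>" % mods)
    return b"FAKEHDR\x00\x00\x00\x00" + gzip.compress(xml.encode())


def strip_header_and_decompress(blob):
    """Drop whatever precedes the first gzip member and inflate it."""
    start = blob.find(GZIP_MAGIC)
    if start < 0:
        raise ValueError("no gzip stream found in config blob")
    return gzip.decompress(blob[start:])


def parse_config(blob):
    """Extract embedded modules (hashed, never written to disk), URL patterns
    and the back-connect server from a decoded config."""
    root = ET.fromstring(strip_header_and_decompress(blob))
    modules = {}
    for m in root.iter("module"):
        data = base64.b64decode(m.text.strip())
        md5 = hashlib.md5(data).hexdigest()
        modules[m.get("name")] = {"size": len(data), "md5": md5,
                                  "known": KNOWN_MODULE_MD5.get(md5)}
    patterns = {tag: [u.text for u in root.find(tag)]
                for tag in ("httpshots", "clickshots", "formgrabber")
                if root.find(tag) is not None}
    return {"modules": modules, "patterns": patterns,
            "bconnect": root.findtext("bconnect"),
            "inject_urls": [i.get("url") for i in root.iter("inject")]}


if __name__ == "__main__":
    cfg = parse_config(build_sample_config())
    for name, info in cfg["modules"].items():
        print(name, info["size"], info["md5"], info["known"] or "unknown")
    print(cfg["patterns"], cfg["bconnect"], cfg["inject_urls"])
```

Hashing the modules instead of dropping them to disk keeps the triage step safe and gives values that can be matched directly against the list at the end of this post.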

Affected entities seem to be mainly from the UK, Ireland, the United Arab Emirates and Qatar, with some injections designed to bypass the second authentication factor which, in combination with the VNC module, will allow the attacker to take over the victim's online banking session.

So it seems that after some months of silence in the Cridex world, a new old friend (dressed up for the occasion) joins Geodo on its journey.

Santiago Vicente
S21sec Ecrime
Follow us on Twitter: @smvicente, @S21sec, @S21secSecurity

The MD5 signatures of the files analyzed by S21sec were:
  • loader: 9d81ac7604ef2a0096537396a4a91193
  • bot_x32: 04b55edf43a006f9c531287161fa2fa8
  • vnc_x32: c73c3c18b74c67e88d5b3f4658016dcd
Other hashes for the rest of the modules are:
  • vnc_x64: 5ecfc1d3274845bf5ff3f66ca255945e
  • socks_x32: 53eb0e59b5bb574df5755527dc3d4f47
  • socks_x64: 0dfc66eadbd9e88b2262ac848eadee8f
  • bot_x64: 4df1cef98bbc174ba02f17d2ca6c0a58


© Copyright S21sec 2013 - All rights reserved